FALL 2019 TODAY’S GENERAL COUNSEL
Cybersecurity
Preparing for the California Consumer Privacy Act
By David M. Stauss and Robert J. Bowman
Privacy law in the United States is about to undergo a fundamental change when the California Consumer Privacy Act becomes effective on January 1, 2020. Preparing for the CCPA has been complicated by the fact that the California legislature is still considering bills that would amend its terms, and the California Attorney General’s office is charged with drafting interpretive regulations for a law that has not been finalized. Nonetheless, as discussed below, there are many activities that organizations can be engaging in now to ensure that they are not caught unprepared once the CCPA goes into effect.
CCPA FUNDAMENTALS
The CCPA is a first-in-the-nation privacy law that will provide numerous privacy-related rights to California residents. Once it goes into effect, the CCPA will require covered businesses to provide California residents with a number of privacy-related rights. These include the right to know what personal information a business collects and how it shares that information with others, to request that the business provide the specific pieces of personal information it has collected to the individual, to demand that the business delete the individual’s personal information, and to opt out of a business’s sales of personal information to third parties.
The CCPA applies to “businesses,” defined as any for-profit legal entity that does business in California, collects the personal information of California residents, and satisfies at least one of the following three thresholds: (1) has annual gross revenues in excess of $25,000,000; (2) alone, or in combination, annually buys, receives for the business’s commercial purpose, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information.
The CCPA defines “personal information” broadly to include information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked with a consumer or household. The statute identifies many different
types of information that qualify as personal information, including email addresses, IP addresses, browsing history, search history, biometric information, social security numbers, credit/debit card numbers, geolocation data, account names, information regarding a consumer’s interaction with a website, cookies, education information, and professional or employment-related information.
The California Attorney General’s office is charged with enforcing the CCPA’s privacy-related rights and is authorized to seek statutory damages of $2,500 for each violation or $7,500 for each intentional violation. The CCPA also establishes a private right of action for data breaches involving certain types of personal information if the breach is caused by a failure to implement and maintain reasonable security procedures
and practices. The CCPA provides for statutory damages of between $100 and $750 per consumer per incident.
When this article was written, the legislature was considering bills that would modify some parts of the CCPA if passed. That process will have concluded by September 13, when the legislature closes. However, none of the bills that have survived to date will usher in significant changes that would justify taking a wait-and-see approach to compliance.
The CCPA also requires the California Attorney General’s office to promulgate regulations on certain topics. The Attorney General’s office has publicly stated that it will publish those regulations in the fall of 2019. Presumably, this will happen after the legislature finishes with its amendment process. The Attorney General’s office has identified seven categories upon which it may publish regulations: personal information; definition of unique identifiers; exceptions; submitting and complying with verified consumer requests; providing a uniform opt-out logo button; guidance on notices and information to consumers, including financial incentive offerings; and verification of consumers’ requests. Although there certainly are compliance issues that businesses will not be able to deal with until the legislative and regulatory process is finalized, there are many activities that businesses subject to the CCPA should be performing now to ensure compliance.
Analyze Your Organizational Chart
For companies with complex corporate structures, one of the first steps to CCPA compliance should be analyzing the company’s corporate structure to determine which entities can be considered the same business and which entities must be treated separately. The CCPA’s